Disclaimer

The content of this blog is intended for informational purposes only. It is not intended to solicit business or to provide legal advice. Laws differ by jurisdiction, and the information on this blog may not apply to every reader. You should not take, or refrain from taking, any legal action based upon the information contained on this blog without first seeking professional counsel. Your use of the blog does not create an attorney-client relationship between you and Arnold & Porter LLP.

Copyright 2008-2016 Arnold & Porter LLP

EU

October 13, 2015

On October 6, 2015, the Court of Justice of the European Union (CJEU) issued a decision that invalidates the current U.S.-European Union Data Protection Safe Harbor Framework. The EU Commission had determined 15 years ago that the Safe Harbor Framework provides adequate protection for personal data transferred from the EU to the United States under the EU’s data protection directive (Directive). More than 4,000 US-based businesses have relied upon this framework. The decision might well impact US multinational companies that have relied on the safe harbor to move data from the EU to the United States for review as part of an internal investigation. Thus, the CJEU decision is a radical upset to the daily operations of thousands of companies involved in the movement of significant amounts of personal data across transatlantic borders.

The CJEU decision stemmed from a challenge lodged by a European Facebook user to the Irish data protection authority (DPA). The challenger claimed Facebook transferred some or all of his Facebook data from Facebook’s EU-based servers in Ireland to its US servers and alleged, parroting a largely debunked allegation of Edward Snowden from 2013, that the NSA had unrestricted access to data stored on Facebook’s servers. After the Irish authority dismissed his complaint, ruling that under an EU Commission decision the Safe Harbor Framework gave the claimant enough protection, his appeal ultimately wound up at the CJEU.

In its blockbuster decision, the CJEU first invalidated the EU Commission’s decision that the Safe Harbor Framework was adequate. The CJEU found that because the EU Commission’s decision approving the Framework provides an exception for “national security, public interest, or law enforcement requirements,” “[US] public authorities . . . have access on a generalised basis to the content of electronic communications” and that these authorities “must be regarded as compromising the essence of the fundamental right to respect for private life.”

In perhaps a more significant development in the long run, as part of its reasoning the CJEU held that “the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities.” In other words, DPAs are required to assess independently the compliance with the Directive, and an EU Commission decision does not prevent a DPA’s continuing oversight of transfers of personal data to third countries.

As an immediate practical matter, the CJEU judgment does not prohibit transfers of personal data from the EU to the United States. But it does preclude reliance on the Framework as the legal basis to make such transfers consistent with the Directive. Therefore, businesses that relied on the Safe Harbor to legitimize those transfers will need to re-assess their options for compliance with the Directive. The decision also underscores the need for U.S. companies—and the U.S. government—to engage in the public dialogue necessary to build trust across the Atlantic and to clarify the meaning and application of U.S. law to US law enforcement and intelligence activities.

The EU Commission has publicly indicated that it is planning to release “clear guidance” for DPAs in the wake of the ruling. Yet, guidance coordinated with the DPAs would be more helpful, as the CJEU’s decision has undermined the EU Commission’s ability to speak authoritatively on this issue. Meanwhile, many of the DPAs have announced publicly that they are taking time to consider fully the implications of the CJEU judgment. Businesses should do the same, but should not delay in taking steps to address how to best deal with EU-to-US transfers of personal data in accordance with the Directive without reliance on the Safe Harbor.

July 22, 2015

The United Kingdom Government has recently enacted legislation similar to California’s groundbreaking Transparency in Supply Chains Act to address the issues presented by modern day slavery and human trafficking. All companies carrying on business in the UK are potentially affected by the Modern Slavery Act 2015 (the UK Act), which includes new requirements for businesses to publish a statement setting out the steps that they adopt to prevent slavery and human trafficking in their supply chains.

The UK Government has indicated that these provisions will come into force in October 2015. The California law, as we have noted, is already in effect, and the California Attorney General is undertaking an effort to encourage compliance and potentially to seek court orders requiring non-compliant businesses to comply with the law.

In addition to requiring businesses to disclose their anti-slavery efforts, the UK Act consolidates pre-existing offences of slavery and human trafficking and increases the maximum penalty for such offences up to life imprisonment for the most serious offences, with lesser reporting and compliance offences attracting sentences of up to 5 years’ imprisonment or an unlimited fine. It establishes the office of the Independent Anti-slavery Commissioner, whose role is to prevent, detect, investigate and prosecute slavery and human trafficking offences as well as to identify the victims of those offences.

Companies or partnerships that carry on a business or part of a business in any part of the UK, supply goods or services in the UK, and have total annual turnover above the -- yet to be determined -- minimum threshold will be required to publish a statement. The UK Government is currently consulting on the minimum threshold and will fix this via further regulations. It seems likely that the focus will be on larger businesses, because these are best placed to influence conduct in their respective market sectors.

The slavery and human trafficking statement will need to cover the steps the organisation has taken during the financial year to ensure that slavery and human trafficking is not taking place in any of its supply chains, and in any part of its own business. The statement must be published on the organisation’s website, similar to the California requirement. Unlike the California law, however, the UK Act does not require that certain topics be covered in the statement but instead includes a non-exclusive list of topics that are similar to those that the California law specifies.

It seems likely that current disclosures under the California law will generally comply with the UK Act, but one key difference is that companies doing business in the UK must have their statements approved by their boards of directors. This is intended to encourage discussions of corporate social responsibility programmes at the highest level, where other requirements like the US Securities and Exchange Commission’s conflict minerals rule are already prompting a renewed focus not only on strict compliance but also on governmental and public relations issues.

May 02, 2014

Foreign businesses need to tread carefully when planning online advertising campaigns which target or have reach to the UK market.

The main enforcer of advertising in the UK is the Advertising Standards Authority (ASA). The ASA is an independent regulator, set up by the advertising industry body Committee of Advertising Practice (CAP) to enforce CAP’s self-regulatory codes for broadcast advertising (BCAP Code) and non-broadcast advertising (CAP Code). The self-regulatory regime sits alongside the legislative framework controlling unfair commercial practices, including the Consumer Protection from Unfair Trading Regulations 2008 (CPRs) and the Business Protection from Misleading Marketing Regulations 2008 (BPRs) (which implement European Union law on unfair commercial practices, and misleading and comparative advertising respectively), as well as industry-specific legislation governing advertising of alcohol, diet products, food products, financial services, tobacco products, pharmaceuticals, and health and environmental products and services.

The ASA regulates most forms of advertising, from magazine and newspaper adverts to posters, television, radio and direct mail advertising. The ASA also has power to investigate complaints relating to online advertising, including banner adverts, paid-for (sponsored) searches and, since 2010, marketing on companies’ own websites and on non paid-for space under their control, such as social networking sites like Facebook and Twitter.

Given the ASA’s reach extends to online advertising in traditional paid-for spaces such as Google, but also claims and adverts made on a company’s own website or their social media pages, what are the risks for foreign businesses?

If a foreign business is launching a UK-based advertising campaign, then it should carefully comply with the Codes and the legislative framework (more detail below). The ASA has limited scope to deal with complaints about adverts that originate outside the UK, although, depending on the country of origin, the ASA will often refer a complaint to the relevant advertising regulator in that country for their investigation. Twenty-four European countries are members of the European Advertising Standards Alliance (EASA), an alliance which promotes reciprocity among national advertising regulators and has a cross-border complaints system.

The United States is not a member of the EASA; nor does it have a reciprocal arrangement with the UK for referring cross-border advertising complaints. The ASA has said, however, that it will take steps to act on complaints about adverts which do not originate from the UK, but are directed at UK consumers. The ASA’s guidance says that “directing” an advert at UK consumers may include showing any applicable prices in GBP (£), including UK contact details (for example, for customer service or website enquiries) or using a “.co.uk” gTLD, irrespective of where the organisation is established.

So what do foreign businesses need to do to comply with the UK Codes? Under the CAP and BCAP Code, all advertising in the UK (or targeting the UK market) must be legal, decent, honest and truthful, respect fair competition and be prepared with a sense of responsibility to consumers and to society. In addition, advertising must not mislead (or be likely to do so) directly or by omission or by presenting information in an unclear, unintelligible or ambiguous manner or by exaggeration, and advertisers must be capable of objectively substantiating their claims (express or implied) by documentary evidence if they are challenged. Mere “puffery” is allowed, but only where the claim is obviously exaggerated or subjective (for example, a claim that a product is “out of this world” would not be construed literally). The ASA is extremely active in monitoring and adjudicating advertising and we have seen numerous occasions where businesses’ creative advertising, bold claims or attempts at puffery have been found to breach the Codes. For example, the ASA has consistently found that claims such as “best”, “most advanced”, “better”, “best value” have fallen foul of the Codes; although these claims may be considered as puffery in other jurisdictions, the ASA would require the marketer to show that it is indeed the “best” or “most advanced” in the class, by way of documentary evidence. A solution in these cases could be to highlight the superior elements of the product or service advertised, such as it being “lightest in class” or “smallest on the market” if evidence bears that out. Care should also be taken to avoid advertising that, for example, glorifies alcohol consumption (see our post here by way of illustration), excessive speed while driving (see here) or makes inappropriate “organic” claims (see here).

The ASA’s powers to sanction infringers are fairly limited; they have no power to impose fines, but they can order non-compliant advertisers to take down all infringing adverts. Rulings are published weekly in full detail on the ASA’s public website (the so-called “name and shame” system). The ASA is also able to refer serious or persistent breaches of the Codes to local weights and measures authorities (local authority regulators that have powers to investigate traders acting outside the law) and to the Competition and Markets Authority, which have greater powers to enforce consumer protection legislation under Part 8 of the Enterprise Act 2002.

Foreign businesses targeting the UK market should therefore take care to review their advertising and marketing practices prior to publication. Crucially, advertising which is seen as mere puffery abroad may not be in the UK. Businesses must therefore ensure that they hold documentary evidence to prove all claims (express or implied) which are capable of objective substantiation, and take care to comply with the Codes, not only in respect of traditional advertising on television, billboards and in magazines, but also online and on their own websites if directed at the UK market.

March 20, 2014

When the US Congress enacted a law addressing the use of four minerals to finance armed conflict in Central Africa as part of the 2010 Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), the European Parliament passed a resolution welcoming the new development and seeking proposed legislation “along these [same] lines”. More than three years later, the European Commission finally answered the Parliament’s request, but has proposed to address the issue in ways that sharply diverge from Dodd-Frank. The Commission proposal, issued March 5, 2014, would introduce a system of voluntary self-certification by mineral importers as opposed to the mandatory reporting by product makers under Dodd-Frank, would cover a greater geographical area than Central Africa, and would rely on individual EU Member States to administer the regulation.

The Commission likely benefitted from observing the difficulties the US Securities and Exchange Commission (SEC) experienced when it implemented Dodd-Frank’s conflict minerals provision. The U.S. law proved contentious: The SEC’s final rule (explained here) followed two years of public debate, and major US business organizations, including the US Chamber of Commerce, have sued to overturn the law and SEC regulation. As US companies have scrambled to meet Dodd-Frank’s first reporting deadline of May 31, 2014, many have complained of costly or insurmountable challenges they face in identifying the minerals’ complete chain of custody. Against that backdrop, the Commission’s delay and decision to opt for an alternative approach is unsurprising.

The Commission’s proposal addresses the same four minerals as Dodd-Frank -- tin, tantalum, tungsten (and their ores), and gold. Products such as automobiles, consumer electronics, medical devices, and jewelry incorporate one or more of the four minerals. The Commission’s proposal also contemplates use of the same Organisation for Economic Co-operation and Development (OECD) framework for due diligence on mineral purchases as does Dodd-Frank. The Commission’s proposal differs from Dodd-Frank and the SEC rule, however, in multiple respects:

It applies to companies that import the four minerals into Europe rather than those that manufacture or contract to manufacture products for which the minerals are necessary to functionality or production. There are fewer importers (400 according to the Commission’s estimate, whereas the SEC projected 6,000 U.S. filers would be impacted by its reporting requirement) and they are closer to key points in the supply chain, such as the minerals’ smelter or refiner.

It pertains to minerals from any “conflict-affected” or “high risk” area rather than solely minerals from the Democratic Republic of the Congo and surrounding countries. The Commission proposal rejects Dodd-Frank’s geographic limitation, in part due to evidence that risk-averse US filers preferred avoiding Central Africa altogether instead of attempting to establish that minerals from that region were conflict-free.

The proposed new EU Regulation will not be finalized until approved by the European Parliament and the Council, a process that will likely take well into 2015. Nonetheless, the Commission draft Regulation is extremely important for several reasons. It clarifies what will likely be expected of importers of conflict minerals into EU Member States and signals that the EU is likely to focus far less on product manufacturers than the United States has done. The draft EU Regulation may in its final form expand the scope of world regions where due diligence will be expected. More generally, the EU Regulation is likely to increase global expectations for clarity and transparency relating to the sourcing of tantalum, tin, tungsten, and gold. US companies, whether they are subject to Dodd-Frank or the EU rules, or perhaps both, will want to consider finding ways to capture and store the sourcing information provided by importers that submit reports under the EU system. As many companies have learned as they prepare for the first public disclosures under Dodd-Frank, the more information the better to facilitate compliance with reporting requirements.

January 28, 2014

This month the UK Advertising Standards Authority (ASA) highlighted the rules around the advertising of prescription-only medicines (POMs) as the ASA clamped down on two website-based advertising campaigns for the POM Botulinum Toxin A (more commonly referred to as “Botox”).

The advertising of POMs is prohibited under UK regulations (for example, the Human Medicines Regulations 2012 (HMRs)) and Rule 12.12 of the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (Code). However, material of a purely factual and/or informative nature does not fall under the scope of the HMRs as “advertising” and so could not be considered an advertisement for the purposes of Rule 12.12. Reference or factual/informative content is therefore permitted, as long as it is a true reflection of the drug licence.

Two health and beauty clinics, Dermaskin Clinics and HB Health of Knightsbridge, made references to Botox on the home pages of their websites, with links through to pages with further details about the treatment. The Independent Healthcare Advisory Service and the ASA challenged whether the references breached the Code by advertising a POM to the public.

The ASA was concerned that visitors to the websites could access information about Botox directly, rather than following a consultation with a doctor. Furthermore, although some of the information provided was fair and factual, there was also promotional wording such as “revolutionary treatment”, “astonishing results” and “Botox dramatically softens facial lines and wrinkles leaving you looking younger”. Furthermore, POMs are only licensed for use of the therapeutic indications detailed in their summary of product characteristics (“SPC”) and Botox is only licensed for the treatment of glabella (frown) lines in the area of cosmetic therapy. However, the websites discussed the treatment of various other facial lines and wrinkles, such as “forehead wrinkles”, “bunny lines on the nose” and “smokers lines around the lips”.

Both advertisers agreed to remove references to Botox from their home pages, but the ASA felt that this did not resolve the issues. Dermaskin Clinics argued that references to treatment areas should take into account normal clinical practice, given that these uses of Botox are common amongst specialists and doctors.

The ASA ruled against the advertisers. Although the ASA understood that it was common in clinical practice for Botox to be used in areas not specified in the SPC, it considered that such references on the websites went beyond factual information that was representative of the SPC and constituted a promotion of a POM to the general public and a breach of the Code. The ASA warned both advertisers to take special care when referencing Botox in the future and instructed them to remove the adverts in their current form.

Although both of these rulings relate specifically to Botox, they provide useful guidance on the Code requirements around advertising of POMs more generally. There are three key takeaway points:

A medical consultation must be the subject of any advertisement, with the POM only referenced as a potential outcome.

Any information relating to a POM must be presented in a balanced and factual way and in all cases must reflect the content of the drug licence/SPC.

December 23, 2013

BMW UK Ltd (BMW), trading as MINI UK, has been reprimanded by the UK’s advertising regulator, the Advertising Standards Authority (ASA), for encouraging dangerous driving in a recent roadside poster for their MINI car located beside the A532 road in Crewe (Cheshire, UK).

The large poster (just over 12 metres wide) showed a MINI car with blurred red and white lines trailing from behind, with the text “THE A532. IT’S MILES MORE FUN IN A MINI.”

A single complaint was made to the ASA that the poster was irresponsible and harmful as it depicted and encouraged dangerous driving.

In response, BMW said that the visual showed the car being driven appropriately and that the red and white lines, emanating from the car’s lights in the night time setting, demonstrated the long distances that the car could be driven, rather than promoting excessive speed or unsafe driving. They said that the poster communicated the fun that could be had driving a MINI on ordinary local roads and the word “fun” referenced their brand values and how it felt to drive a MINI.

The ASA disagreed. It acknowledged that the red and white lines appeared to emanate from the car’s rear lights, but noted there were also a large number of other coloured lights that gave an impression of a fast moving vehicle and this was exaggerated by the wide format of the poster. Examining the poster as a whole, it was the ASA’s opinion that the text (the word “fun”) together with the image of a car moving at excessive speed in a built up environment was “irresponsible” and “likely to encourage dangerous driving”.

The ASA ruled that the poster must not appear again in its current form and that speed should not be the focus of BMW’s advertising methods.

This finding highlights the need to scrutinise how advertising is perceived by viewers to confirm it is in line with the desired message and, more importantly, the UK advertising codes. Still images can have as much of an effect as video footage and care should be taken to ensure compliance.

October 30, 2013

Last year UK supermarket chain Sainsbury’s was rapped on the knuckles twice by the UK’s Advertising Standards Authority (the ASA) for misleading statements and comparisons with rival supermarkets in advertising for its “Brand Match” campaign (May and October 2012 - see our report here). Sainsbury’s has now been dealt another blow on the same campaign.

The latest TV ad showed various people shopping at Sainsbury’s, Tesco and Asda. A voice-over said “Deals. Everywhere aren't they? But wouldn't it be nice if we didn't have to go everywhere to get them? That's why Sainsbury's Brand Match matches comparable branded deals at Tesco and Asda. So spend £20 or more and we'll tot up the prices of brands in your basket and if you could have paid less at Tesco or Asda, even because of a deal, we'll give you a coupon for the difference.”

Two viewers complained that the ad was misleading as they understood that the promotion compared the total cost of a branded shop (i.e. all branded items bought in one go) and that any coupon for the difference would be reduced if any branded products on offer at Sainsbury’s were cheaper than at Asda or Tesco, which meant that customers would still need to shop around for the best deal. Sainsbury’s disputed this and claimed that the voice-over and on-screen text made it clear that the comparison was of the total price of the branded shop.

Assessing the ad, the ASA considered that the overall message was that customers would not have to shop around to get the benefit of deals across the three supermarkets. Claims such as “those deals you love, just now in one place” and “wouldn’t it be nice if we didn’t have to go everywhere to get them?” reinforced the message.

They went on to highlight some of the technicalities of the promotion. Although the comparison and voucher were based on the total cost of all branded goods in the customer’s basket, the value of the voucher could be reduced if any individual items were cheaper at Sainsbury’s. This allows for situations where, despite the overall cost of a branded shop being cheaper at Tesco or Asda, the resulting voucher for the difference could be reduced, even to zero, by just one item being cheaper at Sainsbury’s.

The ASA concluded that the ad was misleading as the fact that a customer would, in some situations, still have to shop around in order to get the cheapest prices, was not made clear and indeed contradicted the overall message of the ad.

As Sainsbury’s clash with the ASA for the third time over the Brand Match campaign, this ruling highlights the need to take account of implied claims in addition to those expressly stated. The customer’s impression of an ad is just as important when it comes to meeting the requirements of the UK Code of Broadcast Advertising.

October 10, 2013

eSmart Media Ltd trading have been reprimanded for using fear to sell private health insurance on its health insurance comparison website, www.bestmedicalcover.co.uk.

The website included a series of quotes from newspaper articles on a National Health Service (NHS) England review of the quality of care and treatment provided by 14 hospital trusts in England. The website referred to the situation as the “NHS crisis”, highlighted the “staggering 13,000 deaths”, said that these were “likely to have been a tragic consequence of negligence” and concluded that private health insurance could “save your life!”.

The UK’s regulator of advertising, the Advertising Standards Authority (ASA), received a large number of complaints challenging whether the references to the review misrepresented the report and whether the advert used an appeal to fear to sell insurance. The relevant advertising code prohibits marketing communications from causing fear or distress without justifiable reason.

eSmart Media responded that the quotes and figures were taken from various articles in leading UK newspapers, acknowledging that these had since been disputed, and commented that pointing out documented examples of poor NHS treatment was important for the public.

The ASA upheld the complaints about eSmart’s statements. As the references to the review were presented as factual, eSmart Media were required to hold robust evidence to support the claims and providing newspaper articles was not sufficient. The ASA concluded that the overall impression of the website along with the references to excess deaths, “NHS crisis” and how private health insurance could “save your life” used an appeal to fear to sell without any justifiable reason.

There is a fine line in the selling of products like insurance between providing the consumer with reasons why they should buy and scaring them into a sale. This ruling from the ASA (as the organization even states itself) shows that marketers are entitled to refer to consumer concerns that might be reasons to purchase as long as they don’t tip the balance into fear and distress.

September 10, 2013

The UK Advertising Standards Authority (ASA) has banned a Tesco advert apologising to its customers for its part in the horse meat scandal because the ad implied that the entire food industry had issues with contaminated meat.

Tesco Stores Ltd (Tesco) had taken out a two-page national press ad following a scandal where some of its meat products, such as burgers and bolognese, had been found to contain traces of undeclared horse meat. The ad in question stated “The problem we’ve had with some of our meat lately is about more than burgers and bolognese. It’s about some of the ways we get meat to your dinner table. It’s about the whole food industry.”

Two complainants (one an independent butcher) challenged whether the line “it’s about the whole food industry” was misleading because it implied that there were issues with meat standards across the whole industry, effectively spreading the blame across the sector, and because it unfairly denigrated food suppliers who had not been implicated in the supply of mislabelled meat products.

In its defence, Tesco argued that the advert was intended to show it was taking the horse meat issue seriously and was listening to its customers, as well as showing their commitment to simplifying and improving their supply chain. Tesco said that there was no reference to any other producer, retailer or supplier and that they had not attempted to shift or share the blame and they claimed that the ad focused solely on Tesco by using words such as “problem we’ve had” and “our meat”. That said, they also pointed out that the advert acknowledged that Tesco had not operated in a vacuum and that the meat contamination issue was due to systematic failings in the food supply chain. They also said that new legislation to deal with the problem would cover the whole European food industry.

While the ASA concluded that the advert had not denigrated other suppliers as no specific marketer or product had been named, they nevertheless considered that the ad did imply that all food retailers and suppliers were likely to have sold contaminated meat products, not just Tesco, when in fact relatively few instances of meat contamination had been found by the time the ad appeared. The references to the “whole food industry” were therefore misleading and the fact that the whole food industry would be governed by new legislation did not in itself spread the blame across the whole sector.

These complaints serve well to highlight the on-going sensitivity and concern across the food industry. Whatever Tesco’s motives in choosing the wording of the advert, whether desperation not to be seen as the sole perpetrator or just an attempt to draw a line under the debacle gone horribly wrong due to sloppy drafting, the ruling serves to illustrate how broad brush claims can land marketers in hot water. General and broad claims should be avoided unless they are capable of objective substantiation (via documentary evidence) and adverts must not mislead customers.

June 04, 2013

The UK advertising regulator, the Advertising Standards Authority (ASA), has published its 2012 Annual Report outlining its activities over the past year and its focus going forward.

At the heart of the report, the ASA sets out the “big five” priorities on which it intends to focus over the coming year, all of which concern misleading advertising in one form or another. The focus on misleading advertising is not surprising given that approximately 70% of all the cases which the ASA dealt with in 2012 concerned misleading advertising.

The recent development of daily deal websites, which have exhibited “widespread problems” such as not making significant terms and conditions clear and exaggerating savings for consumers;

Misleading pricing, such as “bait-pricing” and “drip-pricing” structures where subsequent charges are added to the original advertised price at later stages of the transaction (e.g. value added tax, booking fees and other surcharges);

Ensuring testimonials and reviews used are genuine, and improving transparency around paid endorsements, for example paid-for celebrity endorsements on social media sites (see, by way of example, our article on professional English footballer Wayne Rooney’s tweets for Nike here); and

Preventing misleading health claims which can have serious consequences by discouraging people from seeking proper medical advice.

Seemingly free trials, misleading health claims and misleading pricing are age-old and continuing concerns. Added to these are new problems raised by the use of social media for advertising. These include, for example, celebrity endorsements via Twitter and brands’ “fan-pages” on Facebook, as well as the growth of daily-deal sites such as Groupon (the popular coupon website). These are fresh concerns for the ASA, but also of prime interest to businesses and marketers looking to advertise in new and novel ways. The key is to use these new spaces effectively, appropriately and lawfully.

The rules on misleading advertising are long and fairly complex; however the bottom line is that advertising (in whatever form it appears, for example whether online or in print form) should be decent, fair, honest and truthful and not mislead customers by exaggerating the benefits or omitting key information about a product or service or by comparing competitor products unfairly. We can expect the ASA to take a hard line on misleading advertising this year and so it is important to keep on the right side of the line.

April 22, 2013

The European Union (EU) Article 29
Working Party, the independent advisory body to the
European Commission on data protection and privacy, published an Opinion
on 27 February 2013 on the data protection risks and recommendations for those
offering mobile applications to users in the EU.

The Opinion reflects the fact that
apps have become increasingly popular in recent years, with a reported 1,600
new apps being added to app stores daily and with the average smart device
user downloading 37 apps. Reams of
personal data may be processed when users use a mobile app, from the personal
data contained on the smart device on which the app is loaded and from the app
itself (e.g. photos, contacts, location data, billing information, browsing
history, email, SMS, call log etc.).
Developers may be able to collect personal data continuously and
seamlessly and access and write contact data, send email, SMS, record audio,
use the camera and prevent the smart device from sleeping via mobile apps. However, despite apps processing significant
volumes of personal data, the Working Party considers that many apps and app
developers are not complying with EU data protection legislation, particularly
rules on consent, transparency and security. Indeed, a study commissioned in
June 2012 showed that only 61.3% of the top 150 apps had a privacy policy at
all.

To that end, the Working Party has
put forward a range of recommendations for each of the parties involved in the
development and distribution of apps, from the app developers to the smart
device and operating system (e.g. Android, Win8) manufacturers and the app
stores.

You are an app developer based outside the EU: do you need to comply?

In a word, yes. A key finding of the Working Party is that the EU rules
(currently Directive 95/46/EC as implemented by the 27 EU Member States’
national laws) do apply to any app which is targeted at users within the EU,
regardless of the location of the app developer or app store. This is because
the Directive (and the national legislation implementing the Directive) bites
where data controllers use “equipment” in the EU for the processing of personal
data and, in the case of mobile apps, the smart device on which the app is
installed and used is treated as the relevant “equipment” for processing
personal data. Therefore a US app
developer offering its app for sale/download to customers within the EU would
need to comply with EU rules.

What are the key findings/recommendations?

Clear information: the
Working Party is concerned with the lack of information about data processing
made available to users (e.g. the types of data processed, the purposes for
processing and data retention periods). This
should be made available in a clear and unambiguous format prior to
installation of the app (e.g. in the app store) and apps/app developers should
not alter the purposes or types of data collected without seeking further
consent from the end-user. Essential information about data processing should
also be contained within the app following installation, for example in a
privacy policy. A layered or “granular” approach for data protection notices is
preferable (e.g. several pop-up boxes allowing users to consent to processing
of certain types of data but refusing others).

Consent:
when installing an app, certain information may be placed on the device (e.g.
“cookies” or similar tracking technology). Users should be given the choice to
accept or refuse these and to accept or refuse the processing of their personal
data, e.g. via a “Yes, I accept” option during installation of the app.

Security:
app developers, app stores, operating system and device manufacturers and third
parties should ensure that they have appropriate organisational and technical
measures to ensure the security of the data they process. They should adopt a
“privacy by design” and “by default” approach.

Outsourcing arrangements/arrangements with third parties: app developers may outsource some or all of their data
processing activities to a third party (e.g. external data storage provider,
customer service provider, analytics providers etc.). Data controllers must
ensure that the third party complies with applicable EU rules when it processes
data on their behalf, for example via a data processing agreement.

Children:
the Working Party appreciates that certain apps are designed for and target
children specifically. However, app developers and other data controllers
should pay attention to national age limits for processing personal data
without parental consent (this may vary between 12 and 18 depending on the EU
Member State) and consider the child’s level of understanding of data
processing. Where relevant, parental consent to processing should be obtained.

The Opinion offers some useful
guidance for all the relevant players involved in app development and
distribution, in particular the need to provide clear and unambiguous
information about data processing up front (on the app store and in app) and to
ask for consents prior to installation, but perhaps of most interest is the
confirmation that non-EU apps must comply with the EU rules where they are
installed/used by users in the EU. The Opinion also refers specifically to the
new concepts of “privacy by default” and “by design” which were introduced by
the draft data protection Regulation (which will, if and when adopted, replace
Directive 95/46/EC), and which would broadly require app developers to build in
compliance with the EU data protection law by design, rather than tacking it on as
an afterthought.

March 11, 2013

New
rules governing online behavioural advertising in the UK came into effect
in February, with the aim of giving consumers greater transparency and
control over the use of their information for targeted advertising. In this
blog, we explain what the rules require and what the changes mean for
advertisers and website owners/operators.

What is online behavioural advertising?

Online behavioural advertising (OBA) is the use by advertisers of information collected about a web
user’s online behaviour, for example what websites they browse, links and
adverts they click on, search terms entered etc., to generate adverts tailored
to that individual’s identified interests and preferences. In practice it means
that one user will be served different website advertising to another based on
their previous browsing history.

OBA is usually done through the use of
“cookies” (small data files which are served on users’ browsers and devices
when they visit a website), so these new rules, which will be enforced by the
UK Advertising Standards Authority (ASA), work to supplement and
complement existing legislation on cookies and other tracking technologies,
namely the E-Privacy Directive (2009/136/EC) which is implemented in the UK via
the Privacy and Electronic Communications (EC Directive)-Amendment
Regulations 2011 (the PEC Regulations). Broadly, the PEC Regulations require
that cookies and any similar tracking technology can only be placed on
computers/devices where the user has given their informed consent (e.g., via an
‘opt-in’) to the collection of their data in this way (see our previous blog on
cookies and the Directive here).
In addition, those collecting users’ personal information for OBA must also
comply with data protection/privacy laws.

What are the main requirements?

The new OBA rules (contained in Appendix
3 to the UK Code of Non-broadcast Advertising, Sales Promotion and Direct
Marketing (CAP
Code)) implement the EU Framework
for Online Behavioural Advertising launched by the Internet Advertising
Bureau (IAB) in April 2011. The EU-wide regulation of OBA means that companies
using behavioural advertising as a tool across the EU will also need to comply.

Most of the new obligations fall on “third parties”, those
organisations that engage in OBA via websites other than their own. This means
that retailers whose goods are the subject of the targeted adverts on other
websites (i.e. not their own) are not directly on the hook under the new rules,
but they may be expected to cooperate with the ASA in cases where the ASA is
unable to track down the third party OBA provider.

Broadly, the main requirements are that consumers/web users should
be offered the choice to opt-out of being targeted using OBA. If consumers do
opt out, their information will not be collected for OBA purposes and they will
not be served targeted ads (although they would still see non-tailored ads). To
achieve this, each advert delivered using OBA must
have a notice in or around it telling users that web viewing behaviour data is
being collected and used, and third parties must give a clear and comprehensive notice about the
collection and use of data for the purposes of OBA on their own websites. Both of
these notices should provide a mechanism enabling the user to opt-out.

Other requirements are that OBA should
not be targeted at children aged 12 or under and explicit consent is required
if third parties use technology to collect and use all data traffic from users
on a particular computer (i.e. website history across all websites captured).
This type of OBA is usually carried out at ISP level and is the most controversial
form of OBA.

Interestingly, the new rules do not apply
currently to mobile phones or other handheld devices (e.g. e-readers and
tablets) although it seems likely that the rules will be extended at some point
in the near future.

Enforcement

The CAP Code (including the new OBA rules) is
enforced by the ASA, which is a self-regulatory body. The ASA can take steps to
remove or have amended any adverts that breach the rules.

Arguably the new rules have a lot less bite than
other existing regulations regarding the use of cookies and data protection,
particularly as they are aimed predominantly at third party OBA providers and
are part of the self-regulatory CAP Code. However advertisers, retailers and
website operators who do not deliver their own OBA should bear them in mind
and, in particular, keep an eye on any third parties they use for OBA.

February 20, 2013

On February 13, 2013, the EU Commission announced a new legislative
package,
which includes a proposed Regulation on Consumer Product Safety that will replace
the current General Product Safety Directive (GPSD). It also includes a proposed Regulation on
Market Surveillance. These proposals are
for Regulations, which would apply directly in all EU jurisdictions rather than
the current regime of Directives which are implemented through separate
national legislation.

The draft Consumer Product Safety Regulation (CPSR) applies to consumer products,
which it defines as products intended for consumers; likely to be used by
consumers even if not intended for them; or to which consumers are exposed in
the context of a service provided to them.
Key changes include:

The GPSD
term ‘producer’ has gone - economic operators are now named i.e. manufacturer,
distributor etc. and owe specific obligations.
This change brings the regime for general product safety in line with
that which is already in place in other product sectors, such as toys.

New measures are included to
enhance product identification and traceability, such as indication of origin
labelling.

The general product safety requirement (i.e. the obligation only to
place ‘safe’ products on the market) is retained. Like the GPSD, the CPSR will apply save where
sector-specific legislation provides equivalent protection.

To an extent ‘proportionate to the potential
risks’ of their products, manufacturers will be obliged to:

Carry out sample testing of products made
available on the market;

Investigate complaints and keep a register
of complaints, non-conforming products and product recalls;

Keep distributors informed; and

Establish technical documentation regarding
their products which must contain the necessary information to prove that their
product is safe.

Although enforcement should be more consistent, given the
overarching Regulation, penalties for infringement will be set by Member States. They are required to lay down rules establishing penalties that are “effective, proportionate and dissuasive”,
which distinguish between sizes of economic operator, and may include criminal
sanctions for serious infringements.

The proposed Market Surveillance Regulation seeks to make enforcement more uniform and streamline market surveillance
procedures by bringing them together in a single instrument. It is planned that it will apply to all
consumer products other than food and medicines.

The legislative package envisages simplifying the process of
updating standards and aligning the new CPSR rules with market surveillance
rules for all consumer products. The
measures are expected to come into force circa 2015.

The EU Commission has also announced a “Multiannual action plan for
market surveillance” covering the period 2013-2015. This contains 20 proposed actions, including expanding the use of
cross-national web-based databases (i.e. RAPEX and the ICSMS database) to
exchange and record product safety information; a more sizeable central
bureaucracy; more multinational cooperation and taskforces; a research focus on
internet selling; and more joined up and effective use of customs procedures to
control products entering the EU.

February 01, 2013

Since the European Commission published
its proposals
for the reform of EU data protection laws in January 2012, commentators have
been assessing the changes and speculating on what effects these might have on
businesses. A year on and the latest area under the spotlight is social
networking sites.

Background

It is nearly 20 years since the original
Data Protection Directive (Directive 95/46/EC) was implemented in the EU and
the Regulation aims to make data protection laws more relevant to today’s world
where individuals voluntarily share a vast amount of personal information
online, for example, through social networking sites.

The Commission wants to encourage
‘e-business’ by building trust in the online environment and one way of
accomplishing this, they hope, is by protecting individuals against threats to
their personal privacy associated with this ‘online world’.

Social networking sites and your personal data

Many websites, including social
networking sites, rely on information gleaned from user data (for example
users’ preferences) which is sold to generate ad revenue. Generally, users
consent to the use of their personal information for such purposes when they
access the site and sign up (consents often being contained in the site’s
relevant T&Cs) and sites can change their T&Cs to modify how they use
personal data after users have signed up.

How might the Regulation (as currently drafted) affect social networking sites?

Sites will be restricted as to the type
of data that can be collected. This must be limited to the minimum necessary
and collected only for specific, explicit, limited, legitimate purposes. So
collecting data on users’ preferences to generate ad revenue may not be
considered ‘legitimate’.

Users will be entitled to ‘privacy by
default’ (which, in the context of social networking, would mean that the
default settings must protect the privacy of users and users would be required
to take an active role in what they choose to share in the online environment
of the networking site) and sites will not simply be able to claim the right to
use personal data merely because a user has ‘consented’ through accepting a
site’s T&Cs. Additionally, sites will not be able to change these T&Cs
after users have signed up in order to give themselves greater rights over
personal data.

Users will also be able to withdraw their
consent to the processing of their personal data and request that it be
deleted/removed permanently. Undoubtedly this would create additional costs and
burdens for website owners, who will not be allowed to charge a fee to carry
out the request, particularly as there would also be an obligation to track
down and inform third parties of the user’s request where the website owner has
made the personal data public.

The upshot of these proposed changes is
that if sites cannot use personal information in a way that is profitable or
useful for advertising purposes, users may have to pay to use such sites.
Charging may also be necessary to cover the hefty fines (up to 2% of annual
worldwide revenues) companies may face for breaking the rules.

Next steps

The European Parliament will shortly vote
on the adoption of the General Data Protection Regulation (2012/0011) which
will replace the existing Personal Data Protection Directive. Once adopted, the
Regulation is expected to come into force later this year and member states
will then have 2 years to enforce the legislation.

November 27, 2012

The editors of the Consumer Advertising Law Blog want to let our
readers know about an upcoming webinar that may be of interest to you,
entitled, "Pricing Promises: The Impact of Competition Law". [Full
disclosure: Our firm, Arnold & Porter LLP, is sponsoring the event]. This event may be of particular interest to manufacturers and retailers who sell products in the UK.

The UK Office of Fair Trading recently published a report on the competitive
analysis of various types of pricing promises, including: most favoured nation (MFN) clauses; so-called "English clauses"; lowest market price promises; and the imposition of price obligations tied to other suppliers'
products. This webinar will provide key observations made in the
report about pricing agreements and guidance on
when such agreements may raise competition concerns.

November 08, 2012

The UK’s Advertising Standards
Authority (ASA) rapped UK retailer Boots UK Ltd over
advertising for its “Little Me Organics” products on its website. The
text on the website read “Little Me Organics Oh So Gentle Hair and Body Wash has
pear, mallow & organic aloe vera to clean and moisturise your baby's delicate
hair and sensitive skin”. A single complainant challenged whether Boots’ claim that the
product was “organic” was misleading, because it
implied that it met an independent organic standard. In response, Boots
argued that “Little Me Organics” was the brand name and that there is no legal
definition of what constitutes “organic” for cosmetics in the UK. They also
said that they had taken the challenged claims directly from the product label;
they did not see how that differed to an in-store display. Boots supplied the
ASA with certification for the organic ingredients in the product from four
independent bodies (The Soil Association, US. Mayacert, Quality Certification
Services and Eco Cert) and provided a percentage breakdown for the product’s organic
content.

Assessing
the claim, the ASA accepted that the product contained organically-certified
ingredients and that there is no legal standard for organic cosmetics in the
UK, but said that consumers would understand “Little Me Organics” to mean that the
product either met an independently defined organic standard or used a high
proportion of organic ingredients. As this was not the case, and the product
contained less than 5% organic content, the ASA concluded that the advertising
was misleading. Banning the advert, the
ASA told Boots not to promote the product in future marketing communications
unless they included a prominent statement disclaiming the implied “organic”
claim.

The popularity of organic
cosmetics is growing amongst consumers; however, this ruling highlights how much
of a minefield organic claims can be. The take-away point here is that any
“organic” products should meet an independently defined organic standard or
should contain a high percentage of organic ingredients; otherwise the claims
are likely to fall foul of the ASA. Further, brand names should be chosen
carefully to avoid being accused of greenwashing. The decision is also
an important reminder that the ASA is able to investigate and adjudicate on
claims that appear on advertisers’ own websites, as well as other types of
printed and broadcast advertising.

This website is a joint project by the EU and Organisation for Economic
Co-operation and Development countries, including the US, Australia and
Canada. According to press releases and
information on the site, this searchable website will provide consumers,
businesses and Regulatory Authorities with access to a centralised database
containing key information on recalled products, the data on the website being
supplied from the EU’s RAPEX system and from similar sources maintained by the
US, Canadian and Australian authorities.

Manufacturers, distributors and retailers ship consumer products
worldwide. When there is a safety issue
with a product and a recall is either mandated or entered into voluntarily
following discussions with the regulators in one country, this will often trigger
a need to carry out recalls in multiple jurisdictions. This requires an awareness of the legal
requirements, guidance and attitude to recalls in those other
jurisdictions.

It has long been the case that national and international regulatory
authorities have cooperated and exchanged information on consumer product
recalls. For example, within the EU, all
EU Member States are required to exchange information relating to serious risks
to products via the European Commission. In addition, the US Consumer Product
Safety Commission (CPSC) regularly communicates with regulatory authorities in
Canada and other countries concerning recalls and safety investigations,
subject to limits on CPSC’s ability to share non-public information.

In a globalized market it can be difficult for manufacturers to
handle product safety issues and the need for product recalls or withdrawals on
a purely national basis. Pressure from regulators, consumers and the media to
apply a recall globally may occur in some instances even if safety standards
and recall criteria differ among countries.
Further, such pressures may
increase as information on worldwide product recalls becomes more widely
available through international resources such as the new Global Recall
Portal. Manufacturers and suppliers
should consider the impact of product safety issues in all their markets, to
ensure that any contacts with regulators, notifications of consumers, and
inquiries from the media are appropriately managed and coordinated.

October 17, 2012

The UK’s Advertising Standards Authority (ASA) has banned
the supermarket Sainsbury’s television, internet, email and newspaper
advertising for its “Brand Match” campaign over its misleading statements and
comparisons with rival supermarkets. The Brand Match campaign uses
independently verified price data to calculate the cost of a basket of branded
goods compared with the cost of the same basket at competitor supermarkets,
Asda and Tesco. If the branded goods would have been cheaper at either rival,
the shopper would receive a voucher at checkout equal to the value of the
difference and redeemable the next time they shop at Sainsbury’s.

Several complainants (including Tesco) challenged whether
the claim that shoppers would not pay more for branded goods at Sainsbury’s
than at Asda or Tesco was misleading, when the vouchers confirmed that they
would, in some instances, have paid less for the same shop elsewhere. Other
complaints challenged whether the adverts misleadingly implied that the brand
match applied to all branded purchases, when it was only available to shoppers
spending a minimum of £20, and that the claim “Save at Sainsbury’s with Brand
Match” was misleading as the prices were matched only, not bettered. In
response, Sainsbury’s argued that the Brand Match campaign was “genuine, clear
and concise” and had been well received with nearly 100 million coupons issued,
which they believed indicated that consumers had understood the offer.

The ASA disagreed, noting that the claims that shoppers
would not pay more for brands at Sainsbury’s than at Tesco or Asda were likely
to be interpreted as suggesting that they would not pay more at the time of
their shop, which was not the case as they merely received a voucher indicating
the difference in price, and which required them to make another purchase at
Sainsbury’s within the next two weeks to make the saving. The ASA also said
that the wording “Save at Sainsbury’s with Brand Match” was likely to be
interpreted as suggesting that branded goods would be cheaper at Sainsbury’s.
As prices were only matched, not bettered, and in some cases shoppers would pay
more, the adverts were misleading. Further, the requirement to spend a minimum
of £20 was not made clear in all adverts. Banning the adverts, the ASA told
Sainsbury’s to “ensure future ads did not imply consumers would not pay more,
or would save money, if that was not the case”.

The UK advertising codes require that
advertising should be clear, honest and not misleading. Where, as here, the
promotion has any significant conditions (e.g. a minimum £20 spend or the
saving taking the form of a redeemable voucher on a future purchase) they
should be made clear to consumers in the advertising, not buried in terms and
conditions. The decision also serves to remind how complaints can be brought
directly by disgruntled competitors, not only by members of the public.

August 06, 2012

The UK’s Advertising Standards Authority (ASA) has banned a TV advert for the cereal Weetabix, for misleading customers over its health claims. The advert in question, which was broadcast in July 2011, claimed that the cereal was “Packed with slow release energy to keep you going”. Several viewers challenged the claim as they understood Weetabix to have a high glycemic index (GI) rating. Weetabix produced statistics from 2005 from the Food and Agricultural Organization of the UN (FAO) to show that the cereal had a GI rating of 47 when eaten with semi-skimmed milk, which was lower than the British Nutrition Foundation’s level for a low GI food (55 and below). They also produced the results of a 2012 study which gave the cereal a GI rating of 41 when eaten with semi-skimmed milk. Clearcast (the UK body that pre-clears most TV ads) said that they had followed advice from a nutritional consultant who said that Weetabix had a low GI when eaten with milk and they took the view that as most consumers would eat the cereal with milk, as was shown in the advert, the claim was supported.

The ASA disagreed, holding that while Weetabix eaten with semi-skimmed milk had a low GI, some consumers might infer that the claim “Packed with slow release energy” related to the Weetabix biscuit itself and not only when consumed with milk. The ASA said that the presentation of the claim was therefore ambiguous and, in the absence of further qualifying evidence, was likely to mislead.

With the health foods market continuing to grow, this ruling sounds a caution to food manufacturers. As with other advertising, health food claims must be accurate, true and capable of substantiation, but they must also be suitably qualified. Broad claims are unlikely to pass muster with the ASA or the EU’s toughened rules on health claims (see the recent EU Regulation No 432/2012 on health claims made on foods), which came into force on 14 June 2012. If a health claim relates to a food consumed in a certain way (e.g. only in accordance with manufacturers’ instructions, rather than as sold), this must be made clear on the face of the advertising.

July 27, 2012

With the 2012 Olympics just about to start (27 July 2012) and the eyes of the world on London, now is a good opportunity to discuss how ambush marketing is treated in the UK.

“Ambush marketing” is the term given when third parties attempt to piggyback off a major event by suggesting that they are directly or indirectly associated with it, in order to benefit from the goodwill, prestige or popularity of the event, without having to pay licence or sponsorship fees for the privilege. It can have huge benefits for companies that did not secure official sponsorship, either because they considered the fees too high or, as with the Olympics, there is only room for one official sponsor per market segment (e.g. sport, food, telecoms etc.). These ambush campaigns often attract the attention of consumers with very little cost to the ambushing brand owner compared to the cost of paying to be an official sponsor.

There have been a number of high-profile and successful ambush marketing campaigns linked to the Olympics in the past. At the 1996 Atlanta Games, Nike plastered the city in billboards, handed out Nike flags for fans to wave at cameras and set up its own “Nike Village” next to the official sponsors’ village. 22% of television audiences cited Nike as the official sponsor, compared to only 16% who cited Reebok, which was, in fact, the official sponsor. As a result of these tactics, the International Olympic Committee (IOC) now takes a hard line on ambush marketing.

So how is ambush marketing treated at the London 2012 Games? There is no specific legislation dealing with ambush marketing in the UK generally, although there are three pieces of UK legislation concerning the Olympics, Paralympics and the London 2012 Games. In the absence of such specific legislation, ordinary intellectual property rights (such as registered trade marks, copyright, passing off etc.) or contractual rights may assist brand owners.

The Olympic Symbol etc. (Protection) Act 1995 and the London Olympic Games and Paralympic Games Act 2006 are designed to prevent “unauthorised commercial association” with the Olympics and the London Games. The upshot of these is that there are restrictions over use of certain words or logos associated with the Games without authorisation, such as the main Olympic symbol (the five circle emblem), the motto “Citius, Altius, Fortius” or the words “Olympic(s)”, “Olympian(s)” and “Olympiad(s)” etc.

The London Olympic Games and Paralympic Games Act 2006 specifically prevents the use of any representation, verbal or non-verbal, which suggests a link/association with the London Games. The Act sets out a number of non-exhaustive expressions which the UK courts may take into account as being suggestive of an “association”, such as “Games”, “Two Thousand and Twelve”, “2012”, “Gold”, “Silver”, “Medals”, “London”, “Summer” etc. The result is that even innocuous marketing campaigns, such as “Watch the 2012 Games here this summer” or “Get fit in time for the 2012 Games this summer” run the risk of falling foul of the legislation. Businesses, marketers and advertisers are largely prevented therefore from using representations which may cause the public to associate them with the Olympics, Paralympics or the London Games, unless they are an official sponsor or have the sanction of the London Organising Committee of the Olympic Games (LOCOG).

Whether these legislative attempts to quash ambush marketing achieve the right balance between the rights of official Olympic sponsors and those of other companies is sometimes questionable; in the months leading up to the London Olympics, LOCOG have been very active in enforcing these specific pieces of protective legislation against everyone, from large businesses to small family-run enterprises. In the coming days, it is clear that advertisers, brand owners, advertising agencies and PR companies must take extra care if they wish to run a marketing campaign or event that in any way looks to tie itself to the Olympics or the London Games - the world and LOCOG are watching.